Epistemic Temporal Logic for Information Flow Security 



Musard Balliu, Mads Dam, Gurvan Le Guernic

Royal Institute of Technology, Stockholm, Sweden

{musard, mfd, gurvan}@kth.se



Abstract 

Temporal epistemic logic is a well-established framework for expressing agents' knowledge and how it evolves over time. Within language-based security these are central issues, for instance in the context of declassification. We propose to bring these two areas together. The paper presents a computational model and an epistemic temporal logic used to reason about knowledge acquired by observing program outputs. This approach is shown to elegantly capture standard notions of noninterference and declassification in the literature as well as information flow properties where sensitive and public data intermingle in delicate ways.

Categories and Subject Descriptors D.3.1 [Programming Languages]: Formal Definitions and Theory: Semantics; F.3.1 [Logics and Meanings of Programs]: Specifying and Verifying and Reasoning about Programs: Logics of programs; K.6.5 [Management of Computing and Information Systems]: Security and Protection

General Terms Languages, Security, Verification

Keywords Information Flow, Epistemic Logic, Noninterference, Declassification

1. Introduction 

Information flow analysis and language-based security have been a hot topic for well over ten years now. A large array of specification and validation techniques have been proposed, involving security properties (multi-level security, mandatory access control), semantical modeling techniques (trace conditions, simulations and bisimulations/unwinding conditions), and analysis and enforcement techniques (type systems, dependency analyses of various forms). A critique that may be leveled at much of the past work, our own included, is that it has not always managed to separate concerns very clearly. In particular, constraints in specification techniques, programming language features, and details and limitations in the enforcement/analysis mechanisms have been interdependent in such a way that it has often been unclear exactly what properties are enforced and how the various approaches relate to each other. Also, as pointed out by several authors [3][24], the policy specification mechanisms have often been interwoven with the object (the program) on which the policy is to be enforced in a manner that makes it hard to separate policy concerns from enforcement concerns.

A common feature in much recent work on information flow analysis, cf. [1], has been the appeal to the concept of knowledge as a fundamental mechanism to bring out what security/confidentiality property is being enforced (the "revealed" knowledge) and compare it with the knowledge allowed by the policy. This appeal to knowledge, typically as equivalence relations on initial states (or partial equivalence relations [27]), has been important to produce clear, external reference conditions on which e.g. soundness arguments can be based. Knowledge, as it happens, is at the root of an entire branch of logic, namely the logic of knowledge, or epistemic logic. In this paper we aim to show that the epistemic logic account of knowledge is compatible with the knowledge notion which has emerged within language-based security, and can have a valuable role to play for policy specification.

Temporal epistemic logic is a well-established framework [12] which can be used in distributed systems to reason about knowledge and how it evolves over time. Temporal epistemic logic adds epistemic connectives $K$ and $L$ to familiar temporal connectives such as $G$ (always) and $U$ (until). Those epistemic connectives relate an agent's local state to the possible global states that are consistent with the agent's local observations. The property $K\phi$ expresses that an agent $A$ observing a program "knows" $\phi$ in the sense that $\phi$ holds in all states that are possible given $A$'s past observations. Dually, $L\phi$ expresses that some observationally equivalent state exists for which $\phi$ holds. Thus, as an example, the property $\theta = G(C \to \forall v.\, L(h = v))$ expresses that whenever some condition $C$ holds then, as far as the attacker can tell, any value of $h$ is possible (and so the value of $h$ is unknown and not released to the attacker).



In this study we apply temporal epistemic logic to standard sequential while programs augmented with a public output statement, in order to allow a program to "gradually release" [1] information concerning its initial state. The program model is turned into a model for temporal epistemic logic in the style of interpreted systems [12]. This is done by defining an S5 perfect recall epistemic accessibility relation using the simple and intuitive idea that two execution states should be regarded as being epistemically the same if they have been reached by identical traces of publicly observable output, i.e. such that an observer cannot tell the two states apart. In particular, if there exists an execution sequence producing a trace $\tau$ and ending in a state refuting property $\phi$, then the attacker is forced to hold $\neg\phi$ for possible.

Our main objective with this paper is to show that temporal epistemic logic is an interesting and natural device with which to express information flow policies for imperative programs. We show this partly by example, and partly by demonstrating how various state-based security conditions related to noninterference [15][16] (absence of "bad" information flows) and declassification [28] (intended release of information) can be characterized using the logic.

We are not the first to apply epistemic logic in the context of computer security. The concrete link between language-based security and temporal epistemic logic which we point out in this paper appears, however, to be new. BAN logic and successors use epistemic concepts to model agents' changing knowledge and belief in security protocols. BAN logic, however, suffered from a lack of an intuitively acceptable semantics (the problem of logical omniscience), something that has only been remedied recently [11]. Post-BAN work in security protocol verification has to a large extent focused on Dolev-Yao types of direct knowledge extraction. This approach works well for many concrete protocols, but it is not adequate to capture the types of indirect channels of high importance in language-based security. For formal analysis of distributed protocols and multi-agent systems, epistemic logic and various extensions have extensive histories [12]. Much recent work in the area has focused on model checking [13][23]. Applications of epistemic concepts have been made in process calculi such as the applied $\pi$-calculus [8] and CCS [20] and to model protocols for instance in the area of electronic voting [5]. A precursor of our approach is Askarov and Sabelfeld's gradual release model [1] where the attacker's knowledge is modeled as equivalence relations on initial states. In the paper we look into this relationship in more detail and show how gradual release and a number of other possibilistic state-based security conditions can be characterized using temporal epistemic logic.

In Section 2 we set up the underlying computational model. Section 3 introduces the syntax and semantics of linear time temporal epistemic logic on these models, and shows how the model relates to the standard interpreted systems model [12]. We then turn to various well known security conditions from the literature, including noninterference and different flavors of declassification along the dimensions considered by [28], in Sect. 4 to 7. We finally point out some open issues and directions for future work.

2. Computational Model 

In this section we set up our language's basic computational model. We study a simple while language extended with a synchronous output statement that, over the course of a computation, causes information to be leaked to an observer. Besides the output statement "out(e)", the features of our while language are commonplace: assignments, conditionals, while loops, and a primitive data type of values belonging to a finite set $Val$. The grammar of the language is given in Fig. 1. Programs are ranged over by $P$, identifiers by $x$, values by $v$, and expressions by $e$.

$$P ::= \mathtt{skip} \mid \mathtt{out}(e) \mid x := e \mid P_1 ; P_2 \mid \mathtt{if}\ e\ \mathtt{then}\ P_1\ \mathtt{else}\ P_2 \mid \mathtt{while}\ e\ \mathtt{do}\ P$$

Figure 1. Programming language grammar

A store is a finite map $\sigma : x \mapsto v$, and $\sigma(e)$ is the value of $e$ in store $\sigma$. An execution state is a pair $(P, \sigma)$. The execution of a program generates observable actions (or events) belonging to $Act$ and ranged over by $a$ ($Act = \{\mathtt{out}(v) \mid v \in Val\}$). The transition relation $(P, \sigma) \xrightarrow{a} (P', \sigma')$, or $(P, \sigma) \to (P', \sigma')$, states that by taking one execution step in the execution state $(P, \sigma)$ the execution generates the visible event $a$, if it is present, and the new execution state is $(P', \sigma')$. We write $(P, \sigma) \xrightarrow{(a)} (P', \sigma')$ where $a$ is optional.

Definition 2.1 (Execution).

An execution is a finite or infinite sequence of execution states.

$$\pi = (P_0, \sigma_0) \xrightarrow{(a_0)} \cdots \xrightarrow{(a_{n-1})} (P_n, \sigma_n) \xrightarrow{(a_n)} \cdots \qquad (1)$$

The execution $\pi$ is maximal iff $\pi$ is a prefix of the execution $\pi'$ only if $\pi = \pi'$.

We write $len(\pi)$ for the length (number of transitions) of the execution $\pi$. An execution point, or simply point, is a pair $(\pi, i)$ where $0 \le i \le len(\pi)$. An execution point $(\pi, i)$ represents the state of the execution $\pi$ after $i$ steps. We write $trunc(\pi, i)$ for the prefix of $\pi$ up to, and including, execution state $(P_i, \sigma_i)$, the $i$-th execution state of $\pi$. We extend the notations as follows: $\pi(i) = (P_i, \sigma_i)$, $P(\pi, i) = P_i$ and $\sigma(\pi, i) = \sigma_i$.

In our model, the power of the attacker is modeled by providing a function $trace$ mapping execution points to traces that represent what the attacker has been able to observe so far. In particular, $trace(\pi, i)$ can range from the truncation function $trunc(\pi, i)$, for the strongest attacker able to see all the internal computation, to the function returning the last event generated, for a weak memory-less attacker. For the standard noninterference attacker able to observe a set of identifiers $X$ during the execution, $trace$ is the function returning the sequence of stores $\sigma_j$ ($0 \le j \le i$) restricted to the domain $X$ and where identical consecutive stores are collapsed. In the remainder of this paper, we use the function $trace$ given in Def. 2.2. This definition corresponds to the perfect recall attacker, i.e. one only able to observe outputs and having memory of past observations.

Definition 2.2 (Trace).

A trace $\tau$ is an element of $Act^*$. $trace(\pi, i)$ is the sequence of events $a_j$ such that $0 \le j < i$ and $a_j$ exists. The definition of $trace$ is trivially extended to executions, such that $trace(\pi) = trace(\pi, len(\pi))$.

The trace of the execution (1) is: $(a_0)(a_1) \cdots (a_n) \cdots$

A model $\mathcal{M}$ is a set of maximal executions. Normally we take as a model the set of all maximal executions originating from some designated set of initial states, for instance of the shape $(P_0, \sigma_0)$ where $P_0$ is a fixed initial program. We write $\mathcal{M}(P)$ for the set of all maximal executions started at all initial states $(P, \sigma_0)$ for all initial value stores $\sigma_0$. An epoch is the set of points reachable by observing a given trace, i.e. ($\mathcal{M}$ is implicit)

$$epoch(\tau, \mathcal{M}) = \{(\pi, i) \mid \pi \in \mathcal{M},\ 0 \le i \le len(\pi),\ trace(\pi, i) = \tau\}$$

The epoch of a trace $\tau$ precisely captures the knowledge obtained by observing $\tau$ (in the present possibilistic setting, and ignoring lower level features induced by compilers and run-time systems). For instance, if all points $(\pi, i) \in epoch(\tau, \mathcal{M})$ have the property that the store at that point assigns to $x$ a value between 3 and 5, say, then this fact is known to the observer once she has observed the trace $\tau$. In other words, epochs induce a relation of "equivalent knowledge". Indeed, epochs induce on points a standard epistemic S5 modal accessibility relation $\sim$ by the condition:

$$(\pi, i) \sim (\pi', i') \iff \big((\pi, i) \in epoch(\tau, \mathcal{M})\ \text{implies}\ (\pi', i') \in epoch(\tau, \mathcal{M})\big) \iff trace(\pi, i) = trace(\pi', i')$$

where the middle condition is understood for every trace $\tau$.

3. Linear Time Epistemic Logic 

Reflecting the temporal and epistemic structure of models, we propose to use temporal epistemic logic to express dynamic information flow properties of programs. Many such logics have been considered in the literature [12]. Here we propose to work with a standard, very general and expressive logic in the family of temporal epistemic logics, namely the linear time temporal epistemic logic $KL_1$ without the Next operator, in this paper referred to as $\mathcal{L}_{KU}$.



Definition 3.1 (Syntax of $\mathcal{L}_{KU}$).

The language $\mathcal{L}_{KU}$ of formulas $\phi, \psi$ in linear time temporal epistemic logic is given as follows:

$$\phi, \psi ::= e_1 = e_2 \mid init_x(e) \mid \phi \wedge \psi \mid \neg\phi \mid K\phi \mid \phi U \psi$$

Besides boolean identities ($e_1 = e_2$), the language contains additional atomic propositions $init_x(e)$ expressing that the value of $x$ in the initial state is identical to the value of $e$ in the current state. The operator $K$ is the epistemic knowledge operator. $K\phi$ holds if $\phi$ holds in any state equivalent to the current state. In our setting, two states are considered equivalent if the same sequence of outputs has been generated before reaching them. The operator $U$ is the standard (strong) until operator. The formula $\phi U \psi$ holds if $\psi$ holds in a future state and $\phi$ holds until reaching that state.

Various connectives are definable in $\mathcal{L}_{KU}$, including standard derived boolean operators such as $\vee$ and $\to$, the truth constants $tt$ and $ff$, universal $\forall x$ and existential $\exists x$ quantifiers over the finite set of values, the epistemic possibility operator $L\phi$ meaning that $\phi$ holds for at least one epistemically equivalent state, the future operator $F\phi$ requiring $\phi$ to eventually hold in the future, the "always" operator $G\phi$ meaning that $\phi$ holds in any future state, and the weak until $\phi W \psi$ which does not require $\psi$ to eventually hold. In the remainder of the paper, we use the above connectives as syntactic sugar with the following definitions.

Definition 3.2 (Syntactic sugar $\forall$, $\exists$, $L$, $F$, $G$ and $W$).

$$\forall x.\phi = \bigwedge_{v \in Val} \phi[v/x] \qquad \exists x.\phi = \bigvee_{v \in Val} \phi[v/x]$$

$$L\phi = \neg K(\neg\phi) \qquad F\phi = tt\, U\, \phi \qquad G\phi = \neg(F\neg\phi) \qquad \phi W \psi = (\phi U \psi) \vee G\phi$$

Since there is no input statement in the programming language, the only way for secrets to enter a computation is through the initial state. This, and also the lack of past-time temporal connectives, which would in a more general setting of reactive programs be a natural device to record past inputs, explains the purpose of the initial state predicate $init_x(e)$, which plays a critical role in capturing what is known "now" of the initial store. It has to be noted that if $e$ is independent from the current state then, as the initial value of $x$ does not change over time, the majority of temporal variations of $init_x(e)$ do not change its semantics as long as the computation has not terminated yet ($init_x(e) = F\, init_x(e) = G\, init_x(e) = \phi\, U\, init_x(e)$).

Noteworthy, also, is that outputs are not reflected in the syntax of the logic by corresponding operators or constants. The reason is that output events are of no intrinsic interest to us; they are relevant only in terms of their effect on observer knowledge, i.e. on which states are considered equivalent with regard to the operators $K$ and $L$.



Definition 3.3 (Satisfaction).

Fig. 2 defines the satisfaction relation $\mathcal{M}, (\pi, i) \models \phi$ between points in a model $\mathcal{M}$ and formulas. If the model $\mathcal{M}$ is clear from the context, we write $(\pi, i) \models \phi$ or $\pi, i \models \phi$ for $\mathcal{M}, (\pi, i) \models \phi$. Satisfaction relative to a model $\mathcal{M}$ or a program $P$ is:

$$\mathcal{M} \models \phi \ \text{iff}\ \forall \pi \in \mathcal{M}.\ \mathcal{M}, (\pi, 0) \models \phi$$

$$P \models \phi \ \text{iff}\ \mathcal{M}(P) \models \phi$$

In terms of epochs the formula $K\phi$ expresses that $\phi$ holds for all points in the current epoch; and, dually, $L\phi$ expresses that $\phi$ holds for at least one point in the current epoch, or in other words, that the observer is unable to rule out $\phi$ on the basis of the outputs received so far.

Example 3.1 (Basic example). If the point $(\pi, i)$ satisfies the formula $G(x = 5)$ then, in all future execution points of $\pi$, variable $x$ has value 5. If $(\pi, i)$ satisfies the formula $F(K\phi)$ then there exists a point $(\pi, j)$ (with $j \ge i$) for which $\phi$ holds for all points $(\pi', j')$ (including $(\pi, j)$) having the same trace as $(\pi, j)$ ($trace(\pi, j) = trace(\pi', j')$, i.e. execution $\pi'$ after $j'$ steps has generated the same output sequence as execution $\pi$ after $j$ steps). Combining both previous formulas, if $(\pi, i)$ satisfies the formula $FKG(x = 5)$ then there exists a trace $\tau$ of a future point $(\pi, j)$ for which $x$ equals 5 in every future point of any point having trace $\tau$.

Example 3.2 (It is always possible to lose). At the program level, if $GLF(lost = tt)$ holds for program $P$ then, for all potential traces $\tau$ of $P$, there exists an execution of $P$ which at one point has generated the trace $\tau$ and for which $lost$ will be equal to $tt$ at some point in the future. In other words, if the initial state of an execution of $P$ is unknown, whatever output sequence is observed, it is impossible to rule out the fact that losing in the future is still possible.

Example 3.3 (Eventually, the initial value is deducible). Still at the program level, if $\exists v.\, FK\, init_x(v)$ holds for program $P$ then for all executions $\pi$ of $P$ there exists a value $v$ and a point $(\pi, i)$ which generates a trace $\tau$ for which, for any execution $\pi'$ of $P$, all points $(\pi', i')$ generating the same trace $\tau$ (including $(\pi, i)$) are such that the initial value of $x$ is $v$. In other words, any execution of $P$ will, at some point, have generated an output sequence from which it is possible to deduce the initial value of $x$.

3.1 Relation to Standard Models of Knowledge

Kripke structures are commonly used to give semantics to modal logics, and hence by extension to epistemic logics as well [12]. A Kripke structure (for a single agent) is a triple $(S, T, \mathcal{K})$ where $S$ is a set of states, $T$ is a valuation assigning to each atomic proposition a predicate on $S$, and $\mathcal{K}$ is a binary accessibility relation on states such that $(s_1, s_2) \in \mathcal{K}$ if, from the observations made by the observer while in state $s_1$, it is equally possible to be in state $s_2$. For a given model $\mathcal{M}$, let $S_\mathcal{M}$ be the set of all the execution points $(\pi, i)$ of the executions $\pi$ of $\mathcal{M}$; let $T_\mathcal{M}$ be the function taking each atomic proposition of the shape "$e_1 = e_2$" or "$init_x(e)$" to the set of points for which the proposition holds according to Def. 3.3; and finally, let $\mathcal{K}_\mathcal{M}$ be the binary relation $\sim$ defined at the end of Sect. 2. Then $(S_\mathcal{M}, T_\mathcal{M}, \mathcal{K}_\mathcal{M})$ is a Kripke structure for which the standard definitions of the knowledge operators have the same semantics as the one provided in Def. 3.3.



Interpreted systems are a refinement of Kripke structures used to define the semantics of epistemic logics [12][23] in terms of multi-agent systems. Roughly, an interpreted system is a pair $(\mathcal{R}, T)$, where $\mathcal{R}$ is a set of runs $r$ as functions from time to global states. A global state is a tuple composed of an environment state and one state for every agent in the system. Similarly as in the case of Kripke structures, $T$ is a function stating if a state formula holds on a given global state. For a given model $\mathcal{M}$, let $\mathcal{R}_\mathcal{M}$ be the set of runs $r_\pi$ such that $\pi \in \mathcal{M}$ and $r_\pi(i)$ is the pair composed of the environment state $trunc(\pi, i)$ with actions removed and the agent/attacker state $trace(\pi, i)$. Let $T_\mathcal{M}$ be defined for formulas of the shape "$e_1 = e_2$" or "$init_x(e)$" according to Def. 3.3 as a predicate on global states. The semantics of the knowledge operators provided in Def. 3.3 is equivalent to their standard semantics over the interpreted system $(\mathcal{R}_\mathcal{M}, T_\mathcal{M})$.

4. Noninterference

We now discuss how the logic applies to information flow security properties, adapted to the present setting of output-only imperative programs. We first consider the concept of noninterference [16]. In a language-based setting and considering a two-level security lattice only, noninterference in a relational (initial-final state) setting requires that no information about initial values of high identifiers (which we want to protect) can flow to final values of low identifiers (which the attacker can observe). This condition is easily adapted to the present setting of output-only programs by instead prohibiting high flow to the public outputs.

Write $\sigma_1 \approx_{\bar{x}} \sigma_2$ if the two stores $\sigma_1$ and $\sigma_2$ are equivalent with regard to a set of identifiers $\bar{x}$, i.e. $\forall x \in \bar{x}.\ \sigma_1(x) = \sigma_2(x)$. Fix now a set of low identifiers $\bar{l}$, and let $\bar{h}$ be its complement, the high identifiers.

Definition 4.1 (ONI).

A program $P$ satisfies output-only noninterference iff:

$$\forall \pi_1, \pi_2 \in \mathcal{M}(P).\ \sigma(\pi_1, 0) \approx_{\bar{l}} \sigma(\pi_2, 0) \Rightarrow trace(\pi_1) = trace(\pi_2)$$

Intuitively, the definition states that there is no information flowing from $\bar{h}$ to the attacker if, for any maximal execution having trace $\tau$, all maximal executions started with the same values for $\bar{l}$ produce the same trace. In other words, all initial secret values ($\bar{h}$) might have given rise to the output sequence that an attacker is observing. It is worth noting that this definition subsumes standard noninterference. Indeed, we only need to modify program $P$ by outputting the values of low identifiers ($\bar{l}$) whenever they are observable. Termination sensitivity can also be added by a final dummy output. We now show how ONI can be encoded in our epistemic framework.

$$\mathcal{M}, (\pi, i) \models e_1 = e_2 \ \text{iff}\ \sigma(\pi, i)(e_1) = \sigma(\pi, i)(e_2)$$

$$\mathcal{M}, (\pi, i) \models init_x(e) \ \text{iff}\ \sigma(\pi, 0)(x) = \sigma(\pi, i)(e)$$

$$\mathcal{M}, (\pi, i) \models \phi \wedge \psi \ \text{iff}\ (\pi, i) \models \phi \ \text{and}\ (\pi, i) \models \psi$$

$$\mathcal{M}, (\pi, i) \models \neg\phi \ \text{iff}\ (\pi, i) \not\models \phi$$

$$\mathcal{M}, (\pi, i) \models K\phi \ \text{iff}\ \forall \pi' \in \mathcal{M},\ \forall (\pi', i') \in \pi' \ \text{such that}\ trace(\pi, i) = trace(\pi', i'),\ (\pi', i') \models \phi$$

$$\mathcal{M}, (\pi, i) \models \phi U \psi \ \text{iff}\ \exists j : i \le j \le len(\pi) \ \text{such that}\ (\pi, j) \models \psi \ \text{and}\ \forall k : i \le k < j,\ (\pi, k) \models \phi$$

Figure 2. Formula satisfaction at an execution point

Definition 4.2 (ESP).

$$ESP = \forall \bar{v}.\ (init_{\bar{l}}(\bar{v}) \to \forall \bar{u}.\ L(init_{\bar{l}}(\bar{v}) \wedge init_{\bar{h}}(\bar{u})))$$

The formula $ESP$ is satisfied at a given execution point if every initial secret is possible among the execution points having the same trace and initial public values. In our epistemic framework, we claim that a program does not reveal any secret if all its execution points satisfy $ESP$, i.e. every initial secret is possible for every trace and public inputs generating such trace.

Definition 4.3 (AK).

A program $P$ satisfies absence of knowledge iff:

$$P \models G(ESP)$$

We first give some examples to show how the logic applies to programs wrt. standard noninterference and afterwards prove the equivalence of the above definitions.

Example 4.1. Let $P ::= x := y;\ \mathtt{out}(y)$ be a program over booleans with $x \in \bar{h}$, $y \in \bar{l}$. Then $P$ satisfies ONI since the initial value of $y$ never changes. We show that $P$ satisfies AK. Consider a model $\mathcal{M}$ associated with program $P$ where the store is a pair $(x, y)$. Then

$$\mathcal{M} = \left\{ \begin{array}{l} \pi_1 = (tt, tt) \to (tt, tt) \xrightarrow{\mathtt{out}(tt)} (tt, tt) \\ \pi_2 = (tt, ff) \to (ff, ff) \xrightarrow{\mathtt{out}(ff)} (ff, ff) \\ \pi_3 = (ff, ff) \to (ff, ff) \xrightarrow{\mathtt{out}(ff)} (ff, ff) \\ \pi_4 = (ff, tt) \to (tt, tt) \xrightarrow{\mathtt{out}(tt)} (tt, tt) \end{array} \right.$$

One can verify, by case analysis, that $\mathcal{M} \models G(ESP)$. Consider for instance $\pi_4$. Then $v = tt$ and $\pi_4, i \models init_y(v)$ holds for all $0 \le i \le 2$. We show that $\pi_4, i \models \forall u.\, L(init_y(v) \wedge init_x(u))$ for all $i$. For $i \in \{0, 1\}$, $trace(\pi_4, i) = \epsilon$, so we can find $(\pi_1, 0)$ and $(\pi_2, 0)$ if $u = tt$ and $u = ff$, respectively. If $i = 2$ and $u = tt$, then $(\pi_1, 2)$ has the same trace and initial value; otherwise, if $u = ff$, we pick $(\pi_4, 2)$. Similarly, the condition holds for the other cases.

Let now $P ::= x := y;\ \mathtt{out}(y)$ with $x \in \bar{l}$, $y \in \bar{h}$. Then $P$ falsifies ONI since we output the secret value $y$ to the public output. We show for model $\mathcal{M}$ that $\mathcal{M} \not\models G\, \forall v.(init_x(v) \to \forall u.\, L(init_x(v) \wedge init_y(u)))$, i.e. $\exists \pi\, \exists i\, \exists v.\ init_x(v) \wedge \exists u\, \forall \pi'\, \forall i'.\ trace(\pi, i) = trace(\pi', i') \Rightarrow \pi', i' \not\models (init_x(v) \wedge init_y(u))$. In particular, $\pi_3$ is a counterexample. Set $v = tt$ and $u = tt$; the only executions having the same trace as $\pi_3$ are $\pi_2$ and $\pi_3$. However, $\sigma(\pi_2, 0)(x) = ff \ne v$ and $\sigma(\pi_3, 0)(y) = ff \ne u$.

Lemma 4.1 (Initial values stability). For all vectors of values $\bar{v}$ and identifiers $\bar{x}$:

$$\pi, 0 \models init_{\bar{x}}(\bar{v}) \ \text{implies}\ \forall (\pi, i) \in \pi :\ \pi, i \models init_{\bar{x}}(\bar{v})$$

Proof. Immediate. By definition of the satisfaction relation, $\pi, i \models init_{\bar{x}}(\bar{v})$ iff $\sigma(\pi, 0)(\bar{x}) = \bar{v}$. □

Proposition 4.1 (Equivalence of ONI and AK). For all programs $P$:

$$P \models ONI \ \text{iff}\ P \models AK$$

Proof. ($\Rightarrow$) Assume $P$ satisfies ONI. By definition, given $\pi_1$, then for all $\pi_2$ with $\sigma(\pi_1, 0) \approx_{\bar{l}} \sigma(\pi_2, 0)$, $trace(\pi_1) = trace(\pi_2)$. In particular any two equal traces have equal prefix traces of the same length. We show that $\forall \pi \in \mathcal{M}.\ \pi, 0 \models G\, \forall \bar{v}.(init_{\bar{l}}(\bar{v}) \to \forall \bar{u}.\, L(init_{\bar{l}}(\bar{v}) \wedge init_{\bar{h}}(\bar{u})))$. Pick any $\pi \in \mathcal{M}$ and $\bar{v} \in Val$; then we show for all $0 \le i \le len(\pi)$ that $\pi, i \models (init_{\bar{l}}(\bar{v}) \to \forall \bar{u}.\, L(init_{\bar{l}}(\bar{v}) \wedge init_{\bar{h}}(\bar{u})))$. Namely, assume $\pi, i \models init_{\bar{l}}(\bar{v})$; then for any $\bar{u} \in Val$ there exists $\pi', i'$ such that $trace(\pi, i) = trace(\pi', i') \wedge (\pi', 0) \models init_{\bar{l}}(\bar{v}) \wedge init_{\bar{h}}(\bar{u})$. Let now $\mathcal{M}_a \subseteq \mathcal{M}$ be such that $\forall \pi \in \mathcal{M}_a.\ \sigma(\pi, 0)(\bar{l}) = a$. Then $\mathcal{M} = \bigcup_{a \in Val} \mathcal{M}_a$. By the ONI condition, for all $\pi \in \mathcal{M}_a$, $trace(\pi) = \tau$ for some trace $\tau$ and any initial $\bar{h}$. Then, using Lemma 4.1 and chopping off execution $\pi$, we get the result for all $(\pi, i)$. The same argument can be used for any $\mathcal{M}_a$, so we are done.

($\Leftarrow$) Suppose now $\forall \pi \in \mathcal{M}.\ \pi, 0 \models G\, \forall \bar{v}.(init_{\bar{l}}(\bar{v}) \to \forall \bar{u}.\, L(init_{\bar{l}}(\bar{v}) \wedge init_{\bar{h}}(\bar{u})))$. We show ONI holds. By hypothesis, pick $\pi \in \mathcal{M}$ with $\sigma(\pi, 0)(\bar{l}) = \bar{v}$; then we show that for all $\pi'$ such that $\sigma(\pi', 0)(\bar{l}) = \bar{v}$, $trace(\pi) = trace(\pi')$. By hypothesis, given $\pi$, in particular it is always possible to find $\pi'$ with the same initial values $\bar{v}$, for any $\bar{u}$, having the same trace. □



Example 4.2. Let $P$ be a program manipulating two private variables $h_1, h_2$ over the boolean domain.

$$P ::= \mathtt{if}\ h_1\ \mathtt{then}\ \mathtt{out}(\neg h_2)\ \mathtt{else}\ \mathtt{out}(h_2)$$

The program is not secure since it reveals whether the secrets are equal or not, i.e. $h_1 = h_2$. In fact, for all input states where $h_1 = h_2$, i.e. $(tt, tt)$, $(ff, ff)$, $P$ outputs $ff$; otherwise it outputs $tt$, and this is captured by Def. 4.3.

On the other hand, we will see in the following section that if one agrees to declassify $\phi := h_1 = h_2$ then Def. 5.3 will deem the program secure.



5. Declassification: What

Noninterference guarantees an end-to-end confidentiality policy, namely as soon as a program conveys 1 bit of secret information, it is ruled out by the condition. In real applications this policy turns out to be restrictive, as in many scenarios partial information leakage is considered admissible. Declassification policies handle those acceptable, or even desired, information leakages [28]. For example, a customer may be allowed to access a scientific article (secret data) once she has paid the registration fee to some online provider. In this case, an intentional release of secret information is needed. Declassification has been recognized as one of the main challenges in information flow security [25]. The main concern is to prove that declassification is safe and the attacker is unable to compromise the release mechanism and disclose more sensitive information than stated in the policy. Many authors have addressed the problem from different points of view [?]. In particular, in [28] the authors present a classification of different flavors of declassification. In this section and the following ones, we show how our temporal epistemic framework captures those dimensions in an elegant way.

One way of modeling declassification is by means of a predicate $\phi$ over initial values which expresses the property one intends to declassify. In that case, one has to make sure that states having the same property $\phi$ can not be distinguished by the attacker. This idea originates from selective dependency [10] and corresponds to the What dimension [28]. In particular, the programmer should specify a global declassification policy $\phi$ and the enforcement mechanism has to ensure that no information other than what is specified in the policy can be disclosed by the attacker. For example, the information system of a company can release the average salary of an employee, but it shouldn't be possible to reveal, for instance, the salary of a certain employee. Let $\sigma_1 \approx_\phi \sigma_2$ denote equivalent states according to the declassification policy $\phi$, i.e. $\sigma_1(\phi) = \sigma_2(\phi)$.

Definition 5.1 (NID).

Let $\phi$ be a global declassification policy. A program $P$ satisfies noninterference modulo declassification $\phi$ iff:

$$\forall \pi_1, \pi_2 \in \mathcal{M}(P).\ (\sigma(\pi_1, 0) \approx_{\bar{l}} \sigma(\pi_2, 0) \wedge \sigma(\pi_1, 0) \approx_\phi \sigma(\pi_2, 0)) \Rightarrow trace(\pi_1) = trace(\pi_2)$$

The definition of NID specifies that any initial states having the same public values and agreeing on $\phi$ should produce the same output trace.

Let us now see how global declassification policies can be expressed in our model. We first introduce the formula $ESPM$. An execution point satisfies $ESPM(\Phi)$, where $\Phi$ is a set of declassification policies, iff, among the other execution points having the same trace and initial public values, every initial secret agreeing on $\Phi$ is possible.

Definition 5.2 (ESPM).

$$ESPM(\Phi) \stackrel{\text{def}}{=} \forall \bar{v}_1.\ \forall \bar{u}_1.\ init_{\bar{l}}(\bar{v}_1) \wedge init_{\bar{h}}(\bar{u}_1) \to \forall \bar{u}_2.\ \Big( \bigwedge_{\phi \in \Phi} \phi(\bar{v}_1, \bar{u}_1) = \phi(\bar{v}_1, \bar{u}_2) \Big) \to L(init_{\bar{l}}(\bar{v}_1) \wedge init_{\bar{h}}(\bar{u}_2))$$



Proposition 5.1 (Equivalence of ESP and ESPM($\emptyset$)). For all execution points $(\pi, i)$:

$$(\pi, i) \models ESP \ \text{iff}\ (\pi, i) \models ESPM(\emptyset)$$

Proof. This proposition follows directly from the fact that if $\Phi$ is empty then $\bigwedge_{\phi \in \Phi}$ is vacuously true and $init_{\bar{h}}(\bar{u}_1)$ holds for at least one vector of values $\bar{u}_1$. □



Proposition 5.2 (Monotonicity of ESPM). For all execution points $(\pi, i)$ and sets of declassifications $\Phi$ and $\Psi$:

$$(\pi, i) \models ESPM(\Phi) \ \text{implies}\ (\pi, i) \models ESPM(\Phi \cup \Psi)$$

Proof. This proposition follows trivially from the second implication in the formula of $ESPM$. Whenever the left part of the implication $\bigwedge_{\phi \in \Phi \cup \Psi}$ holds then $\bigwedge_{\phi \in \Phi}$ also holds; and the right part of the implication is the same in both cases, so if the $L$ formula holds with $\Phi$ it still holds with $\Phi \cup \Psi$. □



Corollary 5.1 (ESP subsumes ESPM). For all execution points $(\pi, i)$ and sets of declassifications $\Phi$:

$$(\pi, i) \models ESP \ \text{implies}\ (\pi, i) \models ESPM(\Phi)$$

Proof. This is a direct corollary of Prop. 5.1 and 5.2. □



Definition 5.3 (AKD).

Let $\phi$ be a global declassification policy. A program $P$ satisfies absence of knowledge modulo declassification $\phi$ iff:

$$P \models G(ESPM(\{\phi\}))$$

Figure 3. Knowledge and Declassification

Figure 3 illustrates the intuition behind our security condition. The graphic presents the knowledge about initial secrets that an attacker gains by observing a certain trace $\tau = o_1 o_2 o_3$ as a function of the time elapsed from the beginning of the computation. The black solid line shows the evolution of attacker knowledge at each output point and in particular how it can possibly increase in each epoch. Initially the attacker has knowledge about public identifiers. On the other hand, the red dotted line shows the global declassification policy represented by a predicate $\phi$. As long as the solid line remains below the dotted line the declassification is safe, namely the attacker knowledge is smaller than the information released intentionally prior to program execution. In this case, one can see that after the second observation point $o_2$ the attacker learns more than the policy allows, thus the program becomes insecure.

Proposition 5.3 (Equivalence of NID and AKD). For all programs $P$:

$$P \models NID \ \text{iff}\ P \models AKD$$

Proof. The proof is similar to the one for Prop. 4.1. □



It is worth noting that if the declassification policy states "No secret information can be leaked", then the property becomes $\phi = tt$ and AKD will correspond to AK. We illustrate the above condition by means of an example.

EXAMPLE 5.1. Consider the program $P$ with $h \in \mathbf{H}$.

$P ::=$ if $(h = 0)$ then $out(1)$ else $out(2)$

One can spot an implicit flow due to the dependence on a conditional on secret $h$. Let $\mathcal{M}$ be a model of $P$. To falsify Def. 4.3 pick $\pi$ such that $\sigma(\pi, 0)(l) = \sigma(\pi, 0)(h) = 0$. Then, pick $\pi'$ such that $\sigma(\pi', 0)(l) = 0$ and $\sigma(\pi', 0)(h) \neq 0$. It is easy to see that $trace(\pi) \neq trace(\pi')$. Suppose now we declassify the zeroness of $h$, i.e. $\phi := (h = 0)$. All executions originating from $h = 0$ produce the same trace, i.e. output 1. On the other hand, all executions originating from $\neg\phi := (h \neq 0)$ also produce the same trace, i.e. output 2. Hence, the program is secure. It is worth noting how Def. 5.3 rules out programs that reveal more than what is allowed by the declassification policy. Suppose we want to declassify the sign of identifier $h$, namely $\phi := (h \geq 0)$. Then, $P$ becomes insecure since the attacker is now able to distinguish between values having the same property $\phi$. In particular let $h_1 = 0$ and $h_2 = 1$, so $\phi(h_1) = \phi(h_2)$. In that case $P$ outputs 1 and 2, respectively, so it is deemed insecure.

Abstract Non-interference  Abstract Non-interference (ANI) is an abstract interpretation based approach for modeling and certifying information flow properties. This framework characterizes different qualitative aspects related to global declassification policies and attacker observational power. In particular, using the notion of abstract domain, the authors give an extensional model of what an attacker is allowed to see of public data (attacker power) and of what she is allowed to disclose of secret data (declassification). For example, let $P$ be a program with $l \in \mathbf{L}$, $h \in \mathbf{H}$.

$P ::=$ if $(h > 0)$ then $l := 2l \cdot h$ else $l := 2l \cdot h + 1$

Clearly, there is a direct flow to public identifier $l$ which conveys the value of secret $h$. However, if one is interested in releasing only the sign of secret identifier $h$ in input and considers a weaker attacker who is able to observe only the parity of identifier $l$ in output, then $P$ will be secure. Indeed, fix the initial value of low identifier $l$ and consider initial values of $h$ in input having the same sign, say $h < 0$. It can easily be seen that the final value of $l$ will have the same parity; in this case it will be an odd value. This definition is called Narrow ANI via allowing [21]. Let $\eta, \phi, \rho$ be the abstract domains for public input, declassified private input and public output, respectively.

Definition 5.4 (NANI).

A program $P$ satisfies Narrow ANI, $(\eta)P(\phi \Rightarrow \rho)$, iff:

$\forall l_1, l_2 \in \mathbf{L},\ \forall h_1, h_2 \in \mathbf{H}:$

$\eta(l_1) = \eta(l_2) \wedge \phi(h_1) = \phi(h_2) \Rightarrow \rho([\![P]\!](l_1, h_1)) = \rho([\![P]\!](l_2, h_2))$

Basically it states that for any initial public values having property $\eta$ and for any private initial values having property $\phi$, the result of the computation has property $\rho$ over public outputs. In particular the previous example corresponds to checking $(Id)P(Sign \Rightarrow Par)$.

There is a nice relation between NANI and our epistemic framework. One can look at the abstractions over the public input domain and the public output domain as abstractions over the channels receiving and releasing these values, respectively. More concretely, suppose one wants to check NANI for $(\eta)P(\phi \Rightarrow \rho)$. In order to model the attacker power in output we can use the output actions $out(e)$ and check the following formula wrt. a model $\mathcal{M}$ of the program $P; out(\rho(l))$. Given a pair $(u, v)$ we denote by $fst$ and $snd$, respectively, the first and the second component of such a pair.

Definition 5.5 (AAK).

A program $P$ satisfies abstract absence of knowledge w.r.t. abstractions $\rho$, $\eta$ and $\phi$ iff:

$P; out(\rho(l)) \models G(\mathrm{ESPM}(\{\eta \circ fst, \phi \circ snd\}))$

On the other hand, the public input abstraction $\eta$ deserves some explanation. It can happen that Def. 5.5 fails because the attacker is able to distinguish two input states having the same property $\eta$. Consider a model $\mathcal{M}$ of the program $P ::= l := 2l \cdot h^2; out(Sign(l))$ where $\eta = Par$ and $\phi = Id$. Let $\pi$ be a maximal execution originating from initial state $\sigma$ such that $\sigma(\pi, 0)(l) = 2$ and $\sigma(\pi, 0)(h) = 1$. Then one can find another maximal execution $\pi'$ such that $\sigma(\pi', 0)(l) = -2$ and $\sigma(\pi', 0)(h) = 1$. Clearly $Par(\sigma(\pi, 0)(l)) = Par(\sigma(\pi', 0)(l))$ and $\phi = tt$, while the signs of the outputs are different, i.e. $Sign(4) \neq Sign(-4)$. In [13] this is called deceptive flow, since it only depends on variations of public inputs. However, if one interprets the public input abstraction $\eta$ as secret knowledge that should not be controlled or disclosed to the attacker, then it is reasonable to rule out the program above. Indeed, here the attacker is disclosing a property stronger than $Par$ since she observes variations of the sign for inputs of even parity.
We now show the equivalence of these definitions and postpone a further investigation of the relation to abstract non-interference as future work.
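The NANI judgement of Def. 5.4 and the two programs discussed above can be checked by plain enumeration on a small domain. The following Python is an added example, not code from the paper: it encodes the abstract domains $Id$, $Par$ and $Sign$ as functions, the programs as their concrete semantics on the public identifier, and `narrow_ani` as the quantifier of Def. 5.4. The names `p_sign_parity`, `p_deceptive`, `narrow_ani` and the constructed value range are assumptions of this example.

```python
from itertools import product

# Abstract domains used in Section 5, modelled as functions on concrete values.
def Id(v):
    return v

def Par(v):
    return v % 2                      # parity: 0 even, 1 odd (also for negatives)

def Sign(v):
    return (v > 0) - (v < 0)          # -1, 0 or 1

# Concrete semantics [[P]](l, h): the final value of the public identifier l.
def p_sign_parity(l, h):
    """if (h > 0) then l := 2l*h else l := 2l*h + 1  (program from the ANI paragraph)."""
    return 2 * l * h if h > 0 else 2 * l * h + 1

def p_deceptive(l, h):
    """l := 2l*h^2  (the deceptive-flow program; its output is observed through Sign)."""
    return 2 * l * h * h

def narrow_ani(program, eta, phi, rho, ls, hs):
    """Def. 5.4, (eta)P(phi => rho), checked by enumeration over the finite domains
    ls and hs. Returns (True, None) or (False, ((l1, h1), (l2, h2))) where the two
    initial states agree under eta and phi but the outputs differ under rho."""
    inputs = list(product(ls, hs))
    for (l1, h1), (l2, h2) in product(inputs, repeat=2):
        if eta(l1) != eta(l2) or phi(h1) != phi(h2):
            continue                  # the policy does not require these to agree
        if rho(program(l1, h1)) != rho(program(l2, h2)):
            return False, ((l1, h1), (l2, h2))
    return True, None

VALUES = range(-3, 4)                 # constructed finite domain for l and h

def checks():
    """The three judgements discussed in the text."""
    return {
        "(Id)P(Sign=>Par)": narrow_ani(p_sign_parity, Id, Sign, Par, VALUES, VALUES)[0],
        "(Id)P(Sign=>Id)":  narrow_ani(p_sign_parity, Id, Sign, Id, VALUES, VALUES)[0],
        "(Par)P(Id=>Sign)": narrow_ani(p_deceptive, Par, Id, Sign, VALUES, VALUES)[0],
    }

if __name__ == "__main__":
    for name, ok in checks().items():
        print(name, "holds" if ok else "fails")
```

The first judgement holds (same sign of $h$ forces the same parity of $l$), the second fails because with $\rho = Id$ the direct flow to $l$ is visible, and the third reproduces the deceptive flow: $l = 2$ and $l = -2$ agree under $Par$ yet $Sign(4) \neq Sign(-4)$, which is the pair the witness returns.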

Proposition 5.4 (Equivalence of NANI and AAK). For all programs $P$:

$P \models \mathrm{NANI}$ iff $P \models \mathrm{AAK}$

PROOF. It is enough to observe that the abstract domain $\rho$ in NANI can be considered as a predicate over public output states. In that case the output action in AAK models the same property. □



We conclude this section by discussing an interesting example.

EXAMPLE 5.2. Let $P$ be a program that manipulates a secret variable $h \in \mathbf{H}$, initially known to range over non-negative numbers up to some constant $max$. We express this fact by a declassification policy $\phi = 0 \leq h \leq max$. Then $P$ is secure since it outputs the same sequence of numbers in every run.

$P ::=$
  $x := 0;$
  while $(x < h)$ do $out(x); x{+}{+}$;
  while $(x < max)$ do $out(x); x{+}{+}$

Program $P$ satisfies Def. 5.3. To see this, consider a model $\mathcal{M}$ of $P$, a maximal execution $\pi$ originating from $\sigma_0 = (max_0, x_0, h_0)$ and any point $i$, $0 \leq i \leq len(\pi)$. Assume $\phi(h_0)$ holds; then for all values $h_1$ such that $\phi(h_1)$, it is possible to find an execution $\pi'$ originating from $(max_0, x_0, h_1)$ and a point $i'$ such that $trace(\pi, i) = trace(\pi', i')$. In fact, all executions produce an increasing trace of numbers of length at most $max_0$. If $\phi(h_0)$ does not hold then all executions produce the empty trace.

6. Declassification: Where

Another well-studied form of declassification regards where in the system sensitive information can be released. In our framework, the only way to leak secret information is by means of output operations. In particular, any flow of information from a high identifier $h$ to a low identifier $l$ is perfectly fine as long as secret data is not being output. It is irrelevant at which point of a certain epoch the declassification occurs. For this reason, we assume that declassification takes place together with the output actions. We model the release points in the code by special boolean flags $r_e$, initially false; once a flag is set to true the program can release the value of expression $e$. Moreover, the flag can no longer be updated once it is set to true. Assume we are given a set of release points interspersed in the program, say $\mathcal{R}_P = \{r_{e_1}, \cdots, r_{e_n}\}$, and the corresponding release expressions $\mathcal{R} = \{e_1, \cdots, e_n\}$; then the goal is to check whether program $P$ leaks more information than what the programmer has already allowed to be disclosed by means of the release points encountered so far. It is worth recalling that our model intends to protect the initial value of secret data, not the current ones. This objective is in line with most other work on noninterference. Let $\mathcal{P}(\mathcal{R})$ be the power set of $\mathcal{R}$ and $\bar{\xi}$ be the complement of $\xi$ in $\mathcal{R}$. The formula expressing the absence of attacker knowledge is given next.

Definition 6.1 (AKR).

Let $\{r_{e_1}, \cdots, r_{e_n}\}$ be the boolean variables, initially false, serving as flags for the release policy $\mathcal{R}$. A program $P$ satisfies absence of knowledge modulo release $\mathcal{R}$ iff:

$P \models G \bigvee_{\xi \in \mathcal{P}(\mathcal{R})} \Big(\mathrm{ESPM}(\xi) \wedge \bigwedge_{e_i \in \xi} r_{e_i} \wedge \bigwedge_{e_j \in \bar{\xi}} \neg r_{e_j}\Big)$

Note that the conditions above are mutually exclusive with respect to release points, namely given $\pi$ and $i$, only one formula in the disjunction holds, and that is the one whose release points are set to true in the execution $trunc(\pi, i)$.

EXAMPLE 6.1. Consider program $P$ with $h_1, h_2 \in \mathbf{H}$ and $l \in \mathbf{L}$:

$l := h_1;\ r_{h_1} := tt;\ out(l);\ l := h_2;\ r_{h_2} := tt;\ out(l);$

Stores are vectors $(l, h_1, h_2)$ and $\mathbf{h}$ is the high store $(h_1, h_2)$. Intuitively $P$ is secure since the value of a secret is always declassified before being output. Pick $\pi \in \mathcal{M}(P)$. We show that Def. 6.1 holds for $(\pi, 0)$. Initially $\xi = \emptyset$ is the only candidate such that $\bigwedge_{e_i \in \xi} r_{e_i} \wedge \bigwedge_{e_j \in \bar{\xi}} \neg r_{e_j}$. It remains to prove that $\pi, 0 \models \mathrm{ESPM}(\emptyset)$. This trivially holds until the first release point as the trace of any execution up to this point is empty and any execution generates an empty trace at some point. Then, we move on to $(\pi, 2)$ which is the first execution point after setting the first release flag. At this point, $\mathrm{ESPM}(\{h_1\})$ is required to hold. For the same reason as above, $\mathrm{ESPM}(\emptyset)$ holds and by Prop. 5.2 $\mathrm{ESPM}(\{h_1\})$ also holds. The trace of $(\pi, 3)$ is "$h_1$", where $h_1$ is the initial value of $h_1$, and $\mathrm{ESPM}(\{h_1\})$ is still the formula required to hold. Among all the execution points whose trace is $h_1$ and whose execution has started with the same initial values for $l$ and $h_1$, there is at least one point whose execution has started with $h_2 = h_2'$, for any $h_2'$. Hence, $(\pi, 3)$ satisfies $\mathrm{ESPM}(\{h_1\})$. Similarly, $(\pi, 4) \models \mathrm{ESPM}(\{h_1\})$, $(\pi, 5) \models \mathrm{ESPM}(\{h_1, h_2\})$ and $(\pi, 6) \models \mathrm{ESPM}(\{h_1, h_2\})$. Hence, $P$ satisfies AKR.



We now show how Def. 6.1 relates to a similar security condition called gradual release [1]. Although gradual release considers a slightly different computational model, the basic idea is that the attacker knowledge is constant between release points. In the same spirit, we compute the attacker knowledge for a given trace and compare it with the information released over that trace. In particular, if the attacker knowledge is greater than what has been declassified so far, there is an insecure leakage. Given a program $P$, an initial store $\sigma_0$ and a trace $\tau$ originating from that store, we define the knowledge over the trace $\mathcal{K}(P, \sigma_0, \tau)$ as the set of initial stores that could have led to that trace.

$\mathcal{K}(P, \sigma_0, \tau) = \{\sigma(\pi, 0) \mid \exists(\pi, i) : \sigma(\pi, 0) \approx_L \sigma_0 \wedge trace(\pi, i) = \tau\}$

As pointed out by Askarov and Sabelfeld [1], this set corresponds to the uncertainty of an attacker observing trace $\tau$.

When reaching a point whose trace is $\tau$ and whose execution started in $\sigma_0$, a certain number of release points have been executed. Let $\mathcal{D}_{\sigma_0, \tau}$ be the set of common release points that have been executed when reaching any point whose trace is $\tau$ and whose execution started in $\sigma_0$, and $\Phi_{\sigma_0, \tau} = \{\phi \mid r_\phi \in \mathcal{D}_{\sigma_0, \tau}\}$. Moreover, let $\mathcal{R}(P, \sigma_0, \tau)$ be the maximum knowledge authorized, or minimum uncertainty required, at a point whose trace is $\tau$ for an execution started with the value store $\sigma_0$.

$\mathcal{R}(P, \sigma_0, \tau) = \{\sigma \mid \sigma \approx_L \sigma_0 \wedge \bigwedge_{\phi \in \Phi_{\sigma_0, \tau}} \sigma_0(\phi) = \sigma(\phi)\}$

Then, a program is secure if the information disclosed by observing a given trace is less than the information released over that trace; or, equivalently, if the required uncertainty is a subset of the attacker uncertainty.

Definition 6.2 (ER).

A program $P$ satisfies epistemic release iff:

$\forall \sigma_0, \tau : \mathcal{R}(P, \sigma_0, \tau) \subseteq \mathcal{K}(P, \sigma_0, \tau)$



EXAMPLE 6.2. Consider the program in Example 6.1 over a boolean domain and $(l, h_1, h_2)$ a triple corresponding to a store. Take $\sigma_0(l) = tt$. Then, for the empty trace $\epsilon$, we have $\mathcal{K}(P, \sigma_0, \epsilon) = \mathcal{R}(P, \sigma_0, \epsilon) = \{(tt, \_, \_)\}$. Now we pick $\tau = tt$ and $\mathcal{K}(P, \sigma_0, tt) = \mathcal{R}(P, \sigma_0, tt) = \{(tt, tt, \_)\}$ since we release $h_1$. Proceeding in this way it is easy to prove that $P$ satisfies ER. Suppose that we don't release $h_1$ at the first output. Then we have $\mathcal{R}(P, \sigma_0, tt) = \{(tt, \_, \_)\}$, which is clearly not contained in $\mathcal{K}(P, \sigma_0, tt)$.
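The sets $\mathcal{K}$ and $\mathcal{R}$ of Example 6.2 can be computed mechanically over the boolean domain. The Python below is an added example rather than the paper's own tooling: `run_example_6_1` models the program of Example 6.1 as a sequence of execution points, each carrying the trace so far and the release flags already set; `knowledge`, `released_on` and `required` implement $\mathcal{K}$, $\Phi_{\sigma_0,\tau}$ and $\mathcal{R}$; `epistemic_release` is Def. 6.2. The variant with `release_h1=False` is the "don't release $h_1$ at the first output" case. All of these names and the store encoding as `(l, h1, h2)` tuples are assumptions of this example.

```python
from itertools import product

LOW = ("l",)                                  # public identifiers
BOOLS = (True, False)
# Constructed store domain: every boolean assignment to (l, h1, h2).
STORES = [dict(l=l, h1=h1, h2=h2) for l, h1, h2 in product(BOOLS, repeat=3)]

def key(s):
    return (s["l"], s["h1"], s["h2"])

def run_example_6_1(store, release_h1=True):
    """Example 6.1: l := h1; r_h1 := tt; out(l); l := h2; r_h2 := tt; out(l).
    Yields (trace so far, release flags set) at every execution point; with
    release_h1=False the first release point is omitted (the variant in Example 6.2)."""
    s, trace, released = dict(store), (), frozenset()
    yield trace, released
    s["l"] = s["h1"]
    yield trace, released
    if release_h1:
        released = released | {"h1"}
        yield trace, released
    trace = trace + (s["l"],)                 # out(l)
    yield trace, released
    s["l"] = s["h2"]
    yield trace, released
    released = released | {"h2"}
    yield trace, released
    trace = trace + (s["l"],)                 # out(l)
    yield trace, released

def low_equiv(a, b):
    return all(a[x] == b[x] for x in LOW)

def knowledge(run, s0, tau):
    """K(P, s0, tau): initial stores low-equivalent to s0 that can produce trace tau."""
    return frozenset(key(s) for s in STORES
                     if low_equiv(s, s0) and any(tr == tau for tr, _ in run(s)))

def released_on(run, s0, tau):
    """Phi_{s0,tau}: release flags common to every point of s0's run whose trace is tau."""
    sets = [rel for tr, rel in run(s0) if tr == tau]
    return frozenset.intersection(*sets) if sets else frozenset()

def required(run, s0, tau):
    """R(P, s0, tau): minimum uncertainty the attacker must keep, i.e. the stores that are
    low-equivalent to s0 and agree with it on every released identifier."""
    phi = released_on(run, s0, tau)
    return frozenset(key(s) for s in STORES
                     if low_equiv(s, s0) and all(s[x] == s0[x] for x in phi))

def epistemic_release(run):
    """Def. 6.2: R is a subset of K for every initial store and every trace it produces.
    Returns (True, None) or (False, (initial store, offending trace))."""
    for s0 in STORES:
        for tau, _ in run(s0):
            if not required(run, s0, tau) <= knowledge(run, s0, tau):
                return False, (key(s0), tau)
    return True, None

if __name__ == "__main__":
    print(epistemic_release(run_example_6_1))
    print(epistemic_release(lambda s: run_example_6_1(s, release_h1=False)))
```

For $\sigma_0 = (tt, tt, tt)$ and $\tau = tt$ the original program gives $\mathcal{R} = \mathcal{K} = \{(tt, tt, tt), (tt, tt, ff)\}$, matching the example; without the first release point $\mathcal{R}$ still contains the two stores with $h_1 = ff$, which cannot produce the trace, so ER fails exactly there.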

Proposition 6.1 (Equivalence of AKR and ER). For all programs $P$:

$P \models \mathrm{AKR}$ iff $P \models \mathrm{ER}$

PROOF. ($\Rightarrow$) Assume $P \models \mathrm{AKR}$. Let $\pi \in \mathcal{M}(P)$. We show that for all prefixes $\tau$ of $trace(\pi)$, $\mathcal{R}(P, \sigma(\pi, 0), \tau) \subseteq \mathcal{K}(P, \sigma(\pi, 0), \tau)$. Consider $(\pi, i)$ such that $trace(\pi, i) = \tau$ and release points $r_{\phi_1}, \cdots, r_{\phi_k}$ being active. By Def. 6.1 $\pi, i \models \mathrm{ESPM}(\xi)$ where $\xi = \{\phi_1, \cdots, \phi_k\}$. Basically, it says that for all $(\pi', 0)$ such that $\sigma(\pi, 0) \approx_L \sigma(\pi', 0)$ and $\bigwedge_{\phi \in \xi} \sigma(\pi, 0)(\phi) = \sigma(\pi', 0)(\phi)$ (i.e. $(\pi', 0) \in \mathcal{R}(P, \sigma_0, \tau)$), there exists $(\pi', i')$ such that $trace(\pi', i') = \tau$ (i.e. $(\pi', 0) \in \mathcal{K}(P, \sigma_0, \tau)$). This is exactly ER.

($\Leftarrow$) Assume $P \models \mathrm{ER}$; we show that $P \models \mathrm{AKR}$. Pick any $\pi \in \mathcal{M}(P)$ and $(\pi, i) \in \pi$. Let $\sigma_0 = \sigma(\pi, 0)$, $\tau = trace(\pi, i)$ and $\xi = \{\phi_1, \cdots, \phi_k\}$ the set of releases whose flag has been set. By Def. 6.1 AKR requires only $\mathrm{ESPM}(\xi)$ to hold at $(\pi, i)$. By hypothesis and Def. 6.2 $\mathcal{R}(\mathcal{M}, \sigma_0, \tau) \subseteq \mathcal{K}(\mathcal{M}, \sigma_0, \tau)$; therefore, for all $\pi'$ such that $\sigma_0 \approx_L \sigma(\pi', 0)$ and $\bigwedge_{\phi \in \Phi_{\sigma_0, \tau}} \sigma_0(\phi) = \sigma(\pi', 0)(\phi)$, there exists $(\pi', i')$ such that $trace(\pi', i') = \tau$. As $\Phi_{\sigma_0, \tau} \subseteq \xi$, it implies $\mathrm{ESPM}(\xi)$. □

Figure 4. Knowledge and Release

Figure 4 explains epistemic release wrt. the attacker knowledge. As before, the graphic corresponds to the knowledge about initial secrets that the program semantics releases by means of the output trace $\tau = o_1 o_2 o_3$. The black solid line shows how the knowledge can possibly increase at each output point by disclosing information about the secrets. The red dotted line shows the secret information declassified in each epoch by release points $r_i$. Since the dotted line remains above the solid line, the attacker knowledge is less than what the programmer releases by means of these points. Hence the program will satisfy the security condition.

EXAMPLE 6.3. Consider a program $P$ with secret $h, x, y \in \mathbf{H}$ and $in, l \in \mathbf{L}$. $P$ allows a local release point $r_\phi$ with declassification policy $\phi = hash(h) \bmod 2^{64} = in$, i.e. private variable $h$ can only be leaked by comparing the least 64 bits of its hashed value to the public input variable $in$.

$P ::=$
  $x := hash(h);\ y := x \bmod 2^{64};$
  if $y = in$ then $l := 0$ else $l := 1$;
  $r_\phi;\ out(l);$

Applying Def. 6.1 one can see that for any fixed initial value of identifiers $in, l$, for all initial values $h$ having property $\phi$ the output value is 1 and for all initial $h$ having property $\neg\phi$ the output value is 2. However, if we append to $P$ the following lines of code (where $z \in \mathbf{L}$), it becomes insecure.

$P' ::= P;\ z := x \bmod 3;\ out(z)$

Indeed, pick $h_1, h_2$ satisfying $\phi$ and $hash(h_1) \bmod 3 \neq hash(h_2) \bmod 3$; then $P'$ violates the release policy.



7. Declassification: When

The last dimension of declassification addressed in this paper is the "when" dimension [28]. Following an approach similar to the one of Chong and Myers [9], a temporal declassification is a pair $(\phi^C, \phi^D)$ composed of a declassified property $\phi^D$ and a time predicate $\phi^C$ which specifies when to declassify $\phi^D$. During any execution, as soon as $\phi^C$ holds, outsiders are allowed to learn $\phi^D$ now and in the future. Let $\Phi$ be a set of temporal declassifications; $\Phi^C$ denotes the set of time predicates of $\Phi$ ($\Phi^C = \{\phi^C \mid (\phi^C, \phi^D) \in \Phi\}$) and $\Phi^D$ denotes the set of declassified properties of $\Phi$. It has to be noted that there are two types of temporal declassifications. If $\phi^C$ applies to values which are constant during the execution (such as the initial value of a given variable) or are expressed using $init$ in our model, $(\phi^C, \phi^D)$ describes for which executions an information can be output. A policy stating that a salary can be output only if it is lower than a given constant is an example of such an inter-execution temporal declassification. On the other hand, if $\phi^C$ applies to variables whose value varies during the execution, then $(\phi^C, \phi^D)$ describes after which event an information can be leaked. An intra-execution temporal declassification is for example a policy stating that an information can be provided only after it has been paid for.

Following the standard definitions of NI (Def. 4.1) and NID (Def. 5.1), Def. 7.1 formally defines noninterference modulo temporal declassifications. It states that at any point $(\pi_1, i_1)$ of any execution $\pi_1$, for any execution $\pi_2$ started with the same initial public values ($\sigma(\pi_1, 0) \approx_L \sigma(\pi_2, 0)$) and agreeing on the declassifications ($\sigma(\pi_1, 0) \approx_{\phi^D} \sigma(\pi_2, 0)$) activated so far ($\exists j : 0 \leq j \leq i_1 \wedge \sigma(\pi_1, j)(\phi^C)$), there should exist a point $(\pi_2, i_2)$ which has the same trace as $(\pi_1, i_1)$.

Definition 7.1 (NITD).

Let $\Phi$ be a set of temporal declassifications, i.e. a set of pairs $(\phi_i^C, \phi_i^D)$. A program $P$ satisfies noninterference modulo temporal declassifications $\Phi$ iff:

$\forall \pi_1, \pi_2 \in \mathcal{M}(P),\ \forall (\pi_1, i_1) \in \pi_1 :$

$\Big(\sigma(\pi_1, 0) \approx_L \sigma(\pi_2, 0) \wedge \forall (\phi^C, \phi^D) \in \Phi : \big(\exists j : 0 \leq j \leq i_1 \wedge \sigma(\pi_1, j)(\phi^C)\big) \Rightarrow \sigma(\pi_1, 0) \approx_{\phi^D} \sigma(\pi_2, 0)\Big)$
$\Rightarrow \exists i_2,\ trace(\pi_1, i_1) = trace(\pi_2, i_2)$




In our framework, this complex predicate can be naturally expressed using once again the ESPM formula. Definition 7.2 provides the complete epistemic temporal formula that has to hold in order for a program $P$ to satisfy absence of knowledge modulo temporal declassifications $\Phi$.

Definition 7.2 (AKTD).

Let $\Phi$ be a set of temporal declassifications. A program $P$ satisfies absence of knowledge modulo temporal declassifications $\Phi$ iff:

$P \models \bigwedge_{\Psi \in \mathcal{P}(\Phi)} \big(\mathrm{ESPM}(\Psi^D)\ \ldots\big)$




For any subset of declassification policies $\Psi \subseteq \Phi$, noninterference modulo declassifications $\Psi^D$ ($\mathrm{ESPM}(\Psi^D)$) has to hold until the condition $\phi^C$ of an information not declassified by $\Psi$ holds ($\phi^D \notin \Psi^D$). In particular, noninterference ($\mathrm{ESPM}(\emptyset)$ by Prop. 5.1) has to hold until the first information is declassified. Generally, if $\Psi^C$ is the set of all declassification conditions which have been triggered so far, noninterference modulo $\Psi^D$ and all supersets of $\Psi^D$ has to hold ($\forall \Psi'^D : \mathrm{ESPM}(\Psi^D \cup \Psi'^D)$). However, by Prop. 5.2 noninterference modulo $\Psi^D$ subsumes noninterference modulo any superset of $\Psi^D$ and is therefore the real policy enforced when the set of conditions triggered so far is $\Psi^C$.

Proposition 7.1 (Equivalence of NITD and AKTD). For all programs $P$:

$P \models \mathrm{NITD}$ iff $P \models \mathrm{AKTD}$

PROOF. Let $\Phi_{(\pi, i)} \subseteq \Phi$ be the set of all temporal declassifications $(\phi^C, \phi^D)$ which have been triggered at execution point $(\pi, i)$ ($\exists j : 0 \leq j \leq i \wedge \sigma(\pi, j)(\phi^C)$).

($\Rightarrow$) For all execution points $(\pi_1, i_1)$ and initial stores $\sigma_2^0$ which have the same public values as the initial store of $(\pi_1, i_1)$ ($\sigma(\pi_1, 0) \approx_L \sigma_2^0$) and agree on $\Phi^D_{(\pi_1, i_1)}$ ($\sigma(\pi_1, 0) \approx_{\Phi^D_{(\pi_1, i_1)}} \sigma_2^0$), there exists an execution $\pi_2$ started in the initial state $\sigma_2^0$ which has the same trace as $(\pi_1, i_1)$ at some point $(\pi_2, i_2)$. This follows from Def. 7.1, the fact that for all $\phi$ not in $\Phi_{(\pi_1, i_1)}$ there is no execution point preceding or equal to $(\pi_1, i_1)$ where $\phi^C$ holds, and the fact that $\sigma_1 \approx_{\Phi^D_{(\pi_1, i_1)}} \sigma_2$ implies $\sigma_1 \approx_{\phi^D} \sigma_2$ for all $\phi^D$ in $\Phi^D_{(\pi_1, i_1)}$.

The above statement corresponds to: $\mathrm{ESPM}(\Phi^D_{(\pi_1, i_1)})$ holds for all points $(\pi_1, i_1)$ (Def. 5.2). All the rest of the proof follows from it. First, we show that for any subset $\Psi$ of $\Phi$ and any execution point, either $\mathrm{ESPM}(\Psi)$ holds (1) or there exists $\phi \in (\Phi \setminus \Psi)$ such that $\phi^C$ holds in the current execution point or a preceding one (2). Then, AKTD is proved by contradiction. If AKTD does not hold then there exists a subset $\Psi$ of $\Phi$ and an execution point $(\pi, i)$ such that $\mathrm{ESPM}(\Psi)$ does not hold at $(\pi, i)$, which would contradict (1), and no $\phi \in (\Phi \setminus \Psi)$ is such that $\phi^C$ holds in $(\pi, i)$ or a preceding point, which would contradict (2).

For any $\Psi$, Prop. 5.2 implies that $\mathrm{ESPM}(\Phi^D_{(\pi_1, i_1)} \cup \Psi)$ holds at $(\pi_1, i_1)$. Hence, for any $\Psi^D \supseteq \Phi^D_{(\pi_1, i_1)}$ (1) holds, and a fortiori (1) or (2). For any $\Psi \in \mathcal{P}(\Phi)$ not a superset of $\Phi_{(\pi_1, i_1)}$, there exists $\phi \in (\Phi_{(\pi_1, i_1)} \setminus \Psi)$ such that $\phi$ belongs to $\Phi \setminus \Psi$ and $\phi^C$ holds at $(\pi_1, i_1)$ or a preceding state. Hence, for any $\Psi \not\supseteq \Phi_{(\pi_1, i_1)}$, (2) holds, and a fortiori (1) or (2).

Therefore, NITD implies AKTD.

($\Leftarrow$) The proof follows in the reverse order the same equivalence relations as above, relying on the fact that for any point $(\pi_1, i_1)$, $\mathrm{ESPM}(\Phi^D_{(\pi_1, i_1)})$ has to hold. □



EXAMPLE 7.1. Let $P$, whose code is provided below, be a program that outputs a data after payment of its cost.

while $paid < cost$ do $\{paid := paid + note\}$;
if $cost > max$ then $out(\text{"ok"})$ else $out(paid)$;
$out(data)$

Initial value stores $(paid, note, max, cost, data)$ are of the shape $(0, n, m, c, d)$ where $n, m, c$ and $d$ are integers. The intended security policy is that the initial values of $paid$, $note$ and $max$ are public and everything else should be kept secret, except for the cost, which can be revealed only if it is not greater than $max$ (note that if $cost$ is not lower than $max$ then the final value of $paid$ must not be revealed either), and $data$, which can be output after payment. In our framework, this policy is formalized by $paid, note, max \in \mathbf{L}$ and $\Phi = \{(tt, cost > max), (cost \leq max, cost), (paid \geq cost, data)\}$. The first declassification of $cost > max$ may seem unnecessary; however, in order to reveal the cost only if $cost \leq max$ it is required to declassify $cost > max$. Possible traces of $P$ are: "" while still paying, "ok" and "ok d" if $c > m$, otherwise "x" and "x d" where $x = n \times \lceil c \div n \rceil$. Obviously, any execution point of $P$ before the first output satisfies noninterference and $\mathrm{ESPM}(\Psi)$ for all $\Psi$ (Prop. 5.1). However, as the time predicate of $cost > max$ is $tt$, AKTD never requires $\mathrm{ESPM}(\emptyset)$ to be satisfied. Only $\mathrm{ESPM}(\{cost > max\})$ is required to be satisfied at the beginning of the execution if $c > m$, otherwise $\mathrm{ESPM}(\{cost > max, cost\})$, which is equivalent to $\mathrm{ESPM}(\{cost\})$ as $max$ contains a public data (any executions started with the same public data and $cost$ have to agree on $cost > max$). After the loop, payment has been made and $paid \geq cost$ implies that AKTD only requires $\mathrm{ESPM}(\{cost > max, data\})$ to be satisfied if $c > m$, and otherwise $\mathrm{ESPM}(\{cost > max, cost, data\})$, which is equivalent to $\mathrm{ESPM}(\{cost, data\})$. If $c > m$ then the next traces are "ok" and "ok d". For any initial value store differing only on $cost$ but such that $cost > max$, there exists an execution point whose trace is "ok" and another for "ok d". For executions where $c \leq m$ and after the loop, AKTD only requires that executions started with the same initial value store can generate the same trace. Hence, $P$ satisfies AKTD.
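The point-by-point reasoning of Example 7.1, and the global-policy reasoning of Example 5.1 in Section 5 (where every time predicate is $tt$), can both be run mechanically on finite domains. The following Python is an added example and not the paper's own tooling: `espm` checks $(\pi, i) \models \mathrm{ESPM}(\Psi^D)$ by enumerating initial stores, and `aktd` walks every execution point, collects the declassifications whose condition has been triggered so far, and requires ESPM of their declassified properties there (by Prop. 5.2 this covers every superset, as the paragraph after Def. 7.2 explains). Conditions are evaluated on the current store at each point and declassified properties on the initial store, following Def. 7.1. The function names, the store encoding as dicts and the small constructed domains are assumptions of this example; it also checks a variant of Example 7.1 without the $(cost \leq max, cost)$ declassification, which the checker rejects.

```python
from itertools import product

def run_example_5_1(store):
    """Example 5.1: if (h = 0) then out(1) else out(2).
    Yields (current store, trace so far) at every execution point."""
    trace = ()
    yield dict(store), trace
    trace = trace + ((1 if store["h"] == 0 else 2),)
    yield dict(store), trace

def run_example_7_1(store):
    """Example 7.1: pay for data, then output "ok" or the amount paid, then the data."""
    s, trace = dict(store), ()
    yield dict(s), trace
    while s["paid"] < s["cost"]:
        s["paid"] += s["note"]
        yield dict(s), trace
    trace = trace + ("ok" if s["cost"] > s["max"] else s["paid"],)
    yield dict(s), trace
    trace = trace + (s["data"],)
    yield dict(s), trace

def espm(run, stores, low, s0, tau, psi_d):
    """(pi, i) |= ESPM(Psi^D): every initial store agreeing with s0 on the low identifiers
    and on every declassified property in psi_d must reach some point with trace tau."""
    for s1 in stores:
        if any(s1[x] != s0[x] for x in low):
            continue
        if any(decl(s1) != decl(s0) for decl in psi_d):
            continue
        if all(tr != tau for _, tr in run(s1)):
            return False
    return True

def aktd(run, stores, low, policy):
    """Def. 7.2 checked point by point. policy is a list of (cond, decl) p airs; cond is
    evaluated on the current store at each point, decl on initial stores. At every point
    ESPM of the declassifications triggered so far must hold (Prop. 5.2 then covers all
    supersets). A global policy (AKD, Def. 5.3) is the case where every cond is tt."""
    for s0 in stores:
        triggered = set()
        for i, (cur, tau) in enumerate(run(s0)):
            triggered |= {k for k, (cond, _) in enumerate(policy) if cond(cur)}
            psi_d = [policy[k][1] for k in sorted(triggered)]
            if not espm(run, stores, low, s0, tau, psi_d):
                return False, (s0, i, tau)
    return True, None

def tt(store):
    return True

# Constructed finite domains, small enough to enumerate.
STORES_5_1 = [dict(l=0, h=h) for h in (-1, 0, 1)]
STORES_7_1 = [dict(paid=0, note=n, max=m, cost=c, data=d)
              for n, m, c, d in product((1, 2), (1, 2), (1, 2, 3), (0, 1))]

def check_example_5_1():
    """(no declassification, zeroness of h declassified, sign of h declassified)."""
    zeroness = [(tt, lambda s: s["h"] == 0)]
    sign = [(tt, lambda s: s["h"] >= 0)]
    return tuple(aktd(run_example_5_1, STORES_5_1, ("l",), pol)[0]
                 for pol in ([], zeroness, sign))

def check_example_7_1():
    """(the policy Phi of Example 7.1, the same policy without (cost <= max, cost))."""
    full = [(tt, lambda s: s["cost"] > s["max"]),
            (lambda s: s["cost"] <= s["max"], lambda s: s["cost"]),
            (lambda s: s["paid"] >= s["cost"], lambda s: s["data"])]
    low = ("paid", "note", "max")
    return (aktd(run_example_7_1, STORES_7_1, low, full)[0],
            aktd(run_example_7_1, STORES_7_1, low, [full[0], full[2]])[0])

if __name__ == "__main__":
    print(check_example_5_1())   # expected (False, True, False)
    print(check_example_7_1())   # expected (True, False)
```

For Example 5.1 the checker rejects the program under plain noninterference, accepts it with the zeroness policy and rejects it again with the sign policy, with $h = 0$ and $h = 1$ as the distinguishing pair. For Example 7.1 the full policy is accepted; dropping $(cost \leq max, cost)$ makes the trace "x" after the loop distinguish two costs that are both at most $max$, which is the leak the policy would otherwise cover.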

8. Conclusion and Future Work 

We have pointed out a strong connection between temporal epistemic logic and several security conditions studied in the area of language-based security, including (state-based) noninterference and various flavors of declassification. We claim that temporal epistemic logic appears to be a well suited logical framework to express and study information flow policies. There have been other attempts at building such general frameworks in the past, including McLean's selective interleaving functions [22] and Mantel's modular assembly kit [18]. These approaches are quite different, and focus more on the modular construction of security properties than on their extensional properties. Other notable attempts include Banerjee, Naumann and coauthors' work on information flow logics (cf. [3]) involving various specialized constructs to constrain data flow and dependencies between variables. An interesting feature of the epistemic account of information flow is that indirect flows are handled completely indirectly: it is never necessary to explicitly talk about variables on different executions being in agreement, or depending on each other; information flow is fully captured in terms of the effects of these dependencies on agents' knowledge.

Our approach is not yet general enough to handle general trace-based conditions. This paper considers programs with output events only, whereas most work on trace-based security conditions addresses traces consisting of both output and input events. In principle there is no problem in extending our approach to programs with both inputs and outputs, e.g. the interactive programs considered by Bohannon et al. [6]. Extending the study in this direction to better understand the role and limits of temporal epistemic definability in security modeling is an important line of inquiry for future work.

The reader will have noticed that we actually use only a very small fragment of the logic we set out to study. For instance, we only use the epistemic possibility operator $L$ and never its dual $K$ (epistemic necessity, knowledge), and never use nesting of epistemic connectives. The former is due to our focus on confidentiality rather than integrity properties. Temporal epistemic logic in its standard form may be richer than needed for the application domain; computational or proof-theoretical gains may be made by considering sparser languages. Related to this is the general problem of tractability, and whether the temporal epistemic setting can be used to develop techniques for more precise information flow analysis.